US8683568B1 - Using packet interception to integrate risk-based user authentication into online services - Google Patents


Info

Publication number
US8683568B1
Authority
US
United States
Prior art keywords
user
web
layer
based application
application server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US13/239,863
Inventor
Anton Khitrenovich
Oded Peer
Oleg Freylafert
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
EMC Corp
Original Assignee
EMC Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by EMC Corp
Priority to US13/239,863
Assigned to EMC CORPORATION. Assignors: FREYLAFERT, OLEG, KHITRENOVICH, ANTON, PEER, ODED
Application granted
Publication of US8683568B1
Assigned to EMC IP Holding Company LLC. Assignors: EMC CORPORATION

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

Definitions

  • A gateway/switch 36 is also communicatively coupled to the Internet 34.
  • Gateway/switch 36 may be a gateway between Internet 34 and a local network 38 to allow devices on the local network 38 to communicate with devices on the Internet 34.
  • Gateway/switch 36 may connect to local network 38 via network ports 37.
  • Gateway/switch 36 may also contain a special network port 39, as will be described in further detail below.
  • Web-based application servers 40 connect to local network 38.
  • Gateway/switch 36 may also function to balance loads between the web-based application servers 40.
  • Web-based application server 40 runs a web-based application 41, which is accessible by user machine 32 across the Internet. In typical operation, a user runs a web browser on user machine 32 to remotely access the web-based application 41.
  • Web-based application 41 is a secure application for conducting secure transactions across potentially remote distances, such as, for example, an on-line banking application, such as is well-known in the art.
  • Also connected to gateway/switch 36, either directly or via local network 38, is a network analyzer device (NAD) 44. It should be understood that, although NAD 44 is depicted as separate from gateway/switch 36, in some embodiments the functions of NAD 44 may be integrated within gateway/switch 36. In some embodiments, NAD 44 connects to gateway/switch 36 via a network port 37. In other embodiments, NAD 44 connects to gateway/switch 36 via special network port 39 configured to mirror all traffic 46 passing through gateway/switch 36.
  • NAD 44 is configured to at least receive incoming network traffic 48(a) from user machine 32 (aimed at web-based application server 40) as well as outgoing network traffic 48(b) from web-based application server 40 (aimed at user machine 32).
  • NAD 44 sniffs packets traversing the gateway/switch between the user machine and web-based application server 40, analyzes them to extract various information, and sends messages 50 containing the extracted information to a risk-based authentication server 42, which is configured to analyze the extracted information in order to authenticate the identity of a user accessing the web-based application 41 by performing risk-based authentication, such as, for example, by monitoring for risky transactions or other behavior indicative of session hijacking, fraud, or system misuse.
  • Authentication server 42 may utilize any form of risk-based authentication, such as, for example, risk-based adaptive authentication, as is well-known in the art.
  • Web-based application 41 may be a pre-existing application in which risk-based authentication functionality is not already present.
  • NAD 44 can then be inserted into the local network 38 and programmed to execute methods described herein to add the risk-based authentication feature without any need to significantly modify the web-based application 41 to support the risk-based authentication.
  • NAD 44 may already be present within local network 38 but not yet configured to perform as described herein (e.g., NAD 44 may have previously been present and configured to perform network security monitoring functions).
  • FIG. 2 depicts an example NAD 44 in further detail.
  • NAD 44 includes a network interface 60 configured to connect, over connection 62, to risk-based authentication server 42.
  • NAD 44 also includes means for packet sniffing.
  • Means for packet sniffing include a packet sniffer 61 configured to connect to gateway/switch 36 over dedicated connection 64, such as a network connection or a serial bus connection.
  • Dedicated connection 64 may connect to a mirroring port of gateway/switch 36, such as, for example, special network port 39.
  • Packet sniffer 61 may also include logic configured to examine and sort the contents of mirrored packets received from connection 64.
  • Means for packet sniffing may include hardware logic and/or software code configured to examine and sort the contents of packets received at network interface 60 over network connection 62.
  • Means for packet sniffing may include logic configured to examine and sort the contents of all packets passing through gateway/switch 36.
  • NAD 44 also includes a processor 66 and memory 68.
  • Processor 66 may be, for example, a central processing unit, a microprocessor, a digital signal processor, a field-programmable gate array, a collection of circuits configured to perform various operations, or another similar device or set of devices configured to perform operations.
  • Memory 68 may include, for example, system memory, cache memory, volatile memory, non-volatile memory, random access memory, read-only memory, non-volatile storage, magnetic storage, optical storage, some combination thereof, or another similar device or set of devices configured to store application programs and/or application data.
  • Memory 68 includes a computer program product.
  • The computer program product stores a computer program (CP) 70 within a tangible non-transitory computer-readable storage medium.
  • CP 70, when executed by processor 66, is configured to cause the processor 66 to perform a method (see FIG. 5, below) according to one embodiment.
  • CP 70 may be functionally implemented within the collection of circuits in addition to or in lieu of being stored within memory 68.
  • Whenever CP 70, or any piece or portion of software within NAD 44, is described as performing a method or operation, that method or operation is actually performed by the processor 66 while executing instructions of CP 70 or the piece or portion of software within NAD 44.
  • Memory 68 also stores a set of sniffed packets 72, a set of extracted application-layer fields 73, a set of identified interaction events 74, a set of extracted lower-layer fields 75, and a set of ancillary data 76. Further detail with respect to memory contents 72-76 will be provided below, in connection with FIG. 4.
  • Memory 68 may also store additional items typically stored within memory, such as, for example, an operating system executed by processor 66, additional application programs, additional application data, and user data (not depicted).
  • FIG. 3 depicts an example logical arrangement 100 of CP 70.
  • Logical arrangement 100 includes a decoder module 102, a concentrator module 104, and an authentication interface module 106.
  • Decoder module 102 interfaces over logical connection 112 with packet sniffer 61 (or packet sniffing means), while authentication interface module 106 interfaces over logical connection 114 with network interface 60 to communicate with risk-based authentication server 42.
  • Modules 102, 104, and 106 may each execute on separate machines.
  • Decoder module 102 is configured to parse sniffed packets 72 received via logical connection 112 and to search for patterns and/or extract certain kinds of data.
  • A custom parser 103 may be implemented as part of decoder module 102.
  • Multiple machines may be configured to perform packet sniffing of various local networks 38, each machine running a separate instance of decoder module 102.
  • Concentrator module 104 aggregates and organizes the data extracted by decoder module 102 and periodically sends it to the authentication interface module 106. In arrangements having multiple decoder modules 102, concentrator module 104 arranges the data extracted by each decoder module 102 into an aggregated and organized collection.
  • Authentication interface module 106 periodically receives data from the concentrator module 104, analyzes it, and sends communications 50 to authentication server 42 via connection 114.
  • The period of receipt may be, for example, one minute.
  • In some embodiments, authentication interface module 106 pulls the data from the concentrator module 104 by periodically polling for new data.
  • In other embodiments, concentrator module 104 pushes newly-received data (either periodically or as it is received) to authentication interface module 106.
  • Transformation component 110 examines the data and identifies interaction events of certain pre-selected types between the user and the web-based application 41, storing the identified events as the set of identified interaction events 74. This may be done in consultation with a user/session state map 108.
  • Transformation component 110 also identifies certain ancillary data 76 that relates to the identified events. Further detail of these identifications will be provided below, in connection with FIG. 4.
  • Authentication interface module 106 eventually packages the events 74 and ancillary data 76 into messages using a structured information exchange protocol (e.g., SOAP) understandable by the risk-based authentication server 42, so that the risk-based authentication server 42 can process that information for risk-based user authentication purposes.
  • FIG. 4 depicts a method 200 performed by NAD 44.
  • Packet sniffer 61 (or other packet sniffing means) sniffs packets traversing the local network 38 between the web-based application server 40 and the user machine 32. In some embodiments, all packets traversing the network are received by packet sniffer 61, and packet sniffer 61 disregards any packet whose network-layer source address (e.g., in an IP-based network, the source IP address within an IP packet) or network-layer destination address (e.g., in an IP-based network, the destination IP address within an IP packet) is not the network-layer address of the web-based application server 40.
  • In other embodiments, gateway/switch 36 only sends packets having the network-layer address of the web-based application server 40 within their source or destination fields to the packet sniffer 61.
  • Packet sniffer 61 further analyzes the incoming packets to determine whether or not they originated at or were destined for the web-based application 41, discarding packets having no relation to the web-based application 41.
  • Packet sniffer 61 may store all non-excluded/non-discarded packets as sniffed packets 72 within memory 68.
  • In step 220, NAD 44 analyzes the sniffed packets 72 to extract event information relating to interaction events between the user machine 32 and the web-based application server 40, particularly the web-based application 41.
  • Step 225 provides further detail of an example implementation of step 220.
  • NAD 44 examines the sniffed packets 72 in order to detect specific interaction events that occur between the user machine 32 and the web-based application server 40 at the application layer. These specific interaction events at the application layer reflect specific actions performed by the user at the web-based application 41 from the perspective of the web-based application 41.
  • If the web-based application 41 is a secure application for conducting secure transactions across potentially remote distances, then the specific interactions might include (a) the user logging in to the web-based application 41; (b) the user changing a login password; and (c) the user changing his user e-mail address.
  • The specific interactions might additionally include (d) the user directing the on-line banking application to make a monetary transfer between the user's account and another specified account; (e) the user adding an approved destination account for transfers; (f) the user modifying information associated with an approved destination account; and (g) the user changing his customer mailing address.
  • Step 225 may be broken down into sub-steps which may be performed by different modules.
  • FIG. 5 is of relevance at this point. It depicts an example sniffed packet 300.
  • Sniffed packet 300 includes various lower-layer fields 302 (i.e., networking fields that are of a lower order than the application layer; thus, in the OSI model, since the application layer is layer 7, example lower layers would include the network layer 3 as well as transport layer 4 and session layer 5) as well as an application layer (i.e., OSI layer 7) message, such as a web-based (e.g., HTTP) message 304.
  • Decoder module 102 parses web-based message 304 within each sniffed packet 300 to generate a set of extracted application-layer fields 73.
  • A custom parser 103 may be implemented within decoder module 102 for this purpose, designed to look for specific patterns. For example, one pattern that the custom parser 103 may be configured to search for would be a reference to a specific page (e.g., “/login.jsp”) 308 within an HTTP header 306. It should be understood that several different specific pages may be searched for by the parser.
  • Custom parser 103 may be configured to look for a pattern of the form “Schedule a payment for $[0-9]+.[0-9][0-9] to [a-z ⁇ A-Z]+ on [0
  • The set of extracted application-layer fields 73 may contain several different fields returned by the parser 103.
  • The fields coming from identical TCP sessions may be grouped together, so that related fields are listed in proximity.
  • Authentication interface module 106 correlates the set of extracted application-layer fields 73 with specific interaction events.
  • A transformation component 110 may be implemented within authentication interface module 106 for this purpose, designed to analyze the set of extracted application-layer fields 73 and extract underlying event information relating to specific actions performed by the user at the web-based application 41, storing the results as the set of identified interaction events 74.
  • Transformation component 110 processes elements of the set of extracted application-layer fields 73 having a TCP session in common and grouped into a set of HTTP request-response pairs, which are of use in identifying specific interaction events.
  • If transformation component 110 detects a user HTTP POST request for a page called do_payment.jsp having data embedded therewithin (including, for example, a recipient, a date, and a dollar amount), followed by an HTTP response from the web-based application 41 containing the phrase “Payment has been processed,” then transformation component 110 is able to correlate those events with a monetary transfer event (d), storing an indication of that event and the relevant embedded data within a specific event of the set of identified interaction events 74.
  • User/session state map 108 is used by the transformation component 110 to ascertain what events are possibly expected within the context of a particular user.
  • Optional step 230 may be performed in parallel with step 220.
  • In optional step 230, NAD 44 analyzes the sniffed packets 72 to extract ancillary information relating to interaction events between the user machine 32 and the web-based application server 40, particularly the web-based application 41.
  • The ancillary information is drawn from a networking layer below the application layer and relates to specific detected events.
  • The ancillary information may be drawn from lower-layer fields 302 in the network layer (layer 3), the transport layer (layer 4), or the session layer (layer 5) of a sniffed packet 300.
  • Examples of ancillary information that may be drawn from lower-layer fields 302 might include (1) packet size; (2) clock skew between packets; (3) number of simultaneous sessions operated by the user; (4) browser type used by the user; (5) operating system type used by the user; and (6) time interval between service of a web page by the web-based application server 40 and response by the user machine 32.
  • Custom parser 103 of decoder module 102 extracts the lower-layer fields 302 from the packet and stores them as the set of extracted lower-layer fields 75. Then, transformation component 110 associates the set of extracted lower-layer fields 75 with particular events of the set of identified interaction events 74 in order to create the set of ancillary data 76.
  • Periodically, after performing step 220 and optional step 230, authentication interface module 106 performs step 240 to send the extracted event information (and ancillary information) to the risk-based authentication server 42 for risk-based authentication of the user.
  • Authentication interface module 106 places the data from the set of identified interaction events 74 (and the data from the set of ancillary data 76) into a format understood by the risk-based authentication server 42 using a structured information exchange protocol, for example the well-known SOAP protocol, and sends protocol packets to the risk-based authentication server 42 over logical connection 114 and on to network interface 60 to be sent over connection 62 to the risk-based authentication server 42.
  • One embodiment includes a tangible non-transitory computer-readable medium (such as, for example, a hard disk, a floppy disk, an optical disk, computer memory, flash memory, etc.) programmed with instructions which, when performed by a computer or a set of computers, cause one or more of the methods described in various embodiments to be performed.
  • Another embodiment includes a computer which is programmed to perform one or more of the methods described in various embodiments.
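The filter, decode, correlate and package pipeline of steps 220 through 240, as an added Python sketch that is not code from the patent or from EMC: it keeps only constructed sample packets addressed to or from the application server, parses the HTTP messages per TCP session, matches request/response pairs against event rules such as the do_payment.jsp example described above, attaches lower-layer ancillary data, and wraps the result in a SOAP-style envelope. The server address, page names, form fields, rules and packets are all assumptions, as is that the mirror port carries plaintext HTTP (TLS terminated before the sniffing point).

```python
from collections import defaultdict
from urllib.parse import parse_qs
from xml.sax.saxutils import escape

APP_SERVER_IP = "10.0.0.5"  # assumed network-layer address of application server 40
UA = "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/6.0\r\n"
FORM = "Content-Type: application/x-www-form-urlencoded\r\n\r\n"

# Constructed sniffed packets: (timestamp, src ip, dst ip, tcp session, size, payload).
# Assumes the mirror port carries plaintext HTTP, i.e. TLS ends before the sniff point.
SAMPLE_PACKETS = [
    (100.00, "203.0.113.7", APP_SERVER_IP, "s1", 412,
     "POST /login.jsp HTTP/1.1\r\nHost: bank.example\r\n" + UA + FORM
     + "user=alice&password=hunter2"),
    (100.35, APP_SERVER_IP, "203.0.113.7", "s1", 2048,
     "HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=abc\r\n\r\n<html>Welcome, alice</html>"),
    (130.00, "203.0.113.7", APP_SERVER_IP, "s2", 480,
     "POST /do_payment.jsp HTTP/1.1\r\nHost: bank.example\r\n" + UA + FORM
     + "recipient=ACME+Corp&date=2011-09-22&amount=1250.00"),
    (131.20, APP_SERVER_IP, "203.0.113.7", "s2", 1536,
     "HTTP/1.1 200 OK\r\n\r\n<html>Payment has been processed</html>"),
    (135.00, "198.51.100.9", "192.0.2.1", "s3", 60, "unrelated traffic"),
]

# Rules for transformation component 110: (method, page, phrase in response, event type).
EVENT_RULES = [
    ("POST", "/login.jsp", "Welcome", "login"),                                  # event (a)
    ("POST", "/change_password.jsp", "Password changed", "password_change"),    # event (b)
    ("POST", "/do_payment.jsp", "Payment has been processed", "monetary_transfer"),  # (d)
]

def filter_packets(packets):
    """Packet sniffer 61: keep only packets whose source or destination is server 40."""
    return [p for p in packets if APP_SERVER_IP in (p[1], p[2])]

def parse_http(payload):
    """Custom parser 103: split an HTTP message into start line, headers and body."""
    head, _, body = payload.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def decode(packets):
    """Decoder module 102: extracted application-layer fields 73, grouped by TCP session."""
    fields = defaultdict(list)
    for ts, src, dst, session, size, payload in packets:
        start, headers, body = parse_http(payload)
        parts = start.split()
        if src == APP_SERVER_IP and start.startswith("HTTP/"):
            rec = {"kind": "response", "status": parts[1], "body": body}
        elif len(parts) == 3 and parts[2].startswith("HTTP/"):
            rec = {"kind": "request", "method": parts[0], "path": parts[1],
                   "form": {k: v[0] for k, v in parse_qs(body).items()},
                   "user_agent": headers.get("user-agent", "")}
        else:
            continue  # not an HTTP message of application 41: discard
        rec.update(ts=ts, size=size)  # lower-layer fields 302, kept for step 230
        fields[session].append(rec)
    return fields

def transform(fields):
    """Transformation component 110: correlate request/response pairs into events 74."""
    events = []
    for session, recs in fields.items():
        for req, resp in zip(recs, recs[1:]):  # a request followed by its response
            if req["kind"] != "request" or resp["kind"] != "response":
                continue
            for method, path, phrase, event_type in EVENT_RULES:
                if (req["method"], req["path"]) == (method, path) and phrase in resp["body"]:
                    events.append({
                        "type": event_type, "session": session,
                        # the secret itself is never forwarded to the authentication server
                        "data": {k: v for k, v in req["form"].items() if k != "password"},
                        "ancillary": {  # ancillary data 76 from lower-layer fields 302
                            "request_size": req["size"],
                            "response_latency_s": round(resp["ts"] - req["ts"], 3),
                            "browser": req["user_agent"].split()[-1],
                        },
                    })
    return events

def package(events):
    """Step 240: wrap events in a SOAP-style envelope (constructed, minimal schema)."""
    body = ""
    for e in events:
        inner = "".join(f"<{k}>{escape(str(v))}</{k}>"
                        for k, v in {**e["data"], **e["ancillary"]}.items())
        body += f'<event type="{e["type"]}" session="{e["session"]}">{inner}</event>'
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            f"<soap:Body><events>{body}</events></soap:Body></soap:Envelope>")

def run(packets=SAMPLE_PACKETS):
    """Steps 210 to 240 end to end; returns the identified interaction events."""
    return transform(decode(filter_packets(packets)))
```

Note that the password field is dropped before packaging: the NAD sees the credential in the plaintext POST body, and only the fact of the login, not the secret, belongs in the message to the authentication server.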

Abstract

Techniques for using a network analyzer device connected to a network include (a) sniffing packets traversing the network between a web-based application server and a user machine, the user machine being operated by a user, (b) analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server, and (c) sending the extracted event information to an authentication server for risk-based authentication of the user.

Description

BACKGROUND
Banks and other secure transaction providers are wary of providing online banking applications to customers without ensuring that these applications are secure and that a mechanism is in place to properly authenticate users. In some systems, encrypted sessions are used between the user and bank, and the user is required to enter a secret password in order to gain access.
In one conventional approach, as an online banking application interacts with the user, the online banking application sends usage data to an external authentication server which is able to perform an analysis of usage patterns to authenticate the identity of the user as the proper customer.
SUMMARY
However, the above-described conventional approach suffers from deficiencies. In particular, in the conventional authentication approach, the online banking application must be modified to gather and send the usage pattern data to the authentication server. However, if the online banking application is already deployed prior to the addition of the authentication feature, adding in the usage detection and reporting features can be cumbersome and slow, particularly since all changes must be extensively tested to ensure that the security of the system remains intact. Furthermore, since the usage detection and reporting features are run by the online banking application itself, certain details (such as network-specific details) are not accessible to be reported to the authentication server.
In contrast to the above-described approaches, the present disclosure describes techniques for adding risk-based authentication to a pre-existing web-based application without the need to modify the application. Furthermore, these techniques also allow the authentication server to consider additional details in performing the authentication. In particular, the risk-based authentication system may be expeditiously integrated into the system without significant modifications to the system by configuring a device to sniff packets on the local network of the banking application website, analyze those packets to generate event information, and send the event information to the authentication server.
A method is described, using a network analyzer device connected to a network. The method includes sniffing packets traversing the network between a web-based application server and a user machine, the user machine being operated by a user, analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server, and sending the extracted event information to an authentication server for risk-based authentication of the user. Corresponding system, apparatus, and computer program products are also described.
BRIEF DESCRIPTION OF THE DRAWINGS
The foregoing and other objects, features and advantages will be apparent from the following description of particular embodiments of the invention, as illustrated in the accompanying drawings in which like reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating the principles of various embodiments of the invention.
FIG. 1 illustrates an example system for use in practicing various embodiments.
FIG. 2 illustrates an example apparatus according to various embodiments.
FIG. 3 illustrates an example logical arrangement in accordance with various embodiments.
FIG. 4 illustrates an example method according to various embodiments.
FIG. 5 illustrates an example packet for use in practicing various embodiments.
DETAILED DESCRIPTION
Techniques are described herein for using a network analyzer device connected to a local network to sniff packets traversing the network, analyze those packets to generate event information, and send the event information to an authentication server.
FIG. 1 illustrates an example system 30 for use in practicing various embodiments. System 30 includes a user machine 32 communicatively coupled to the Internet 34. User machine 32 may be a computer, a smart phone, or any other electronic device capable of communicating over a computer network, and is typically capable of displaying web pages or has similar functionality. Although Internet 34 is depicted, in some embodiments, any kind of computer network may take its place.
A gateway/switch 36 is also communicatively coupled to the Internet 34. Gateway/switch 36 may be a gateway between Internet 34 and a local network 38 to allow devices on the local network 38 to communicate with devices on the Internet 34. Gateway/switch 36 may connect to local network 38 via network ports 37. Gateway/switch 36 may also contain a special network port 39, as will be described in further detail below. Web-based application servers 40 connect to local network 38. Gateway/switch 36 may also function to balance loads between the web-based application servers 40. Web-based application server 40 runs a web-based application 41, which is accessible by user machine 32 across the Internet. In typical operation, a user runs a web browser on user machine 32 to remotely access the web-based application 41. In one embodiment, web-based application 41 is a secure application for conducting secure transactions across potentially remote distances, such as, for example, an on-line banking application, such as is well-known in the art.
Also connected to gateway/switch 36, either directly, or via local network 38, is a network analyzer device (NAD) 44. It should be understood that, although NAD 44 is depicted as separate from gateway/switch 36, in some embodiments, the functions of NAD 44 may be integrated within gateway/switch 36. In some embodiments, NAD 44 connects to gateway/switch 36 via a network port 37. In other embodiments, NAD 44 connects to gateway/switch 36 via special network port 39 configured to mirror all traffic 46 passing through gateway/switch 36. NAD 44 is configured to at least receive incoming network traffic 48(a) from user machine 32 (aimed at web-based application server 40) as well as outgoing network traffic 48(b) from web-based application server 40 (aimed at user machine 32). As will be explained below in further detail, NAD 44 sniffs packets traversing the gateway/switch between the user machine and web-based application server 40, analyzes them to extract various information, and sends messages 50 containing the extracted information to a risk-based authentication server 42, which is configured to analyze the extracted information in order to authenticate the identity of a user accessing the web-based application 41 by performing risk-based authentication, such as, for example, by monitoring for risky transactions or other behavior indicative of session hijacking, fraud, or system misuse. Authentication server 42 may utilize any form of risk-based authentication, such as, for example, risk-based adaptive authentication, as is well-known in the art.
In one embodiment, web-based application 41 may be a pre-existing application in which risk-based authentication functionality is not already present. NAD 44 can then be inserted into the local network 38 and programmed to execute methods described herein to add the risk-based authentication feature without any need to significantly modify the web-based application 41 to support the risk-based authentication. In some instances, NAD 44 may already be present within local network 38 but not yet configured to perform as described herein (e.g., NAD 44 may have previously been present and configured to perform network security monitoring functions).
FIG. 2 depicts an example NAD 44 in further detail. NAD 44 includes a network interface 60 configured to connect, over connection 62, to risk-based authentication server 42. NAD 44 also includes means for packet sniffing. In some embodiments, as depicted, means for packet sniffing include a packet sniffer 61 configured to connect to gateway/switch 36 over dedicated connection 64, such as a network connection or a serial bus connection. Dedicated connection 64 may connect to a mirroring port of gateway/switch 36, such as, for example, special network port 39. Packet sniffer 61 may also include logic configured to examine and sort the contents of mirrored packets received from connection 64. In other embodiments, not depicted, means for packet sniffing may include hardware logic and/or software code configured to examine and sort the contents of packets received at network interface 60 over network connection 62. In embodiments in which the functions of NAD 44 are integrated within gateway/switch 36, means for packet sniffing may include logic configured to examine and sort the contents of all packets passing through gateway/switch 36.
NAD 44 also includes a processor 66 and memory 68. Processor 66 may be, for example, a central processing unit, a microprocessor, a digital signal processor, a field-programmable gate array, a collection of circuits configured to perform various operations, or another similar device or set of devices configured to perform operations. Memory 68 may include, for example, system memory, cache memory, volatile memory, non-volatile memory, random access memory, read-only memory, non-volatile storage, magnetic storage, optical storage, some combination thereof, or another similar device or set of devices configured to store application programs and or application data.
Memory 68 includes a computer program product. The computer program product stores a computer program (CP) 70 within a tangible non-transitory computer-readable storage medium. CP 70, when executed by processor 66, is configured to cause the processor 66 to perform a method (see FIG. 5, below) according to one embodiment. In some embodiments, for example, when processor 66 is implemented as a collection of circuits configured to perform various operations, CP 70 may be functionally implemented within the collection of circuits in addition to or in lieu of being stored within memory 68. In any event, within this document, whenever CP 70, or any piece or portion of software within NAD 44, is described as performing a method or operation, that method or operation is actually performed by the processor 66 while executing instructions of CP 70 or the piece or portion of software within NAD 44.
Memory 68 also stores a set of sniffed packets 72, a set of extracted application-layer fields 73, a set of identified interaction events 74, a set of extracted lower-layer fields 75, and a set of ancillary data 76. Further detail with respect to memory contents 72-76 will be provided below, in connection with FIG. 4. Memory 68 may also store additional items typically stored within memory, such as, for example, an operating system executed by processor 66, additional application programs, additional application data, and user data (not depicted).
FIG. 3 depicts an example logical arrangement 100 of CP 70. Logical arrangement 100 includes a decoder module 102, a concentrator module 104, and an authentication interface module 106. Decoder module 102 interfaces over logical connection 112 with packet sniffer 61 (or packet sniffing means), while authentication interface module 106 interfaces over logical connection 114 with network interface 60 to communicate with risk-based authentication server 42. It should be understood that, although only one NAD 44 is depicted and although modules 102, 104, and 106 are depicted together within logical arrangement 100, modules 102, 104, and 106 may each execute on separate machines.
Decoder module 102 is configured to parse sniffed packets 72 received via logical connection 112 and to search for patterns and/or extract certain kinds of data. In some embodiments, custom parser 103 may be implemented as part of decoder module 102. In some arrangements, multiple machines may be configured to perform packet sniffing of various local networks 38, each machine running a separate instance of decoder module 102.
Concentrator module 104 aggregates and organizes the data extracted by decoder module 102 and periodically sends it to the authentication interface module 106. In arrangements having multiple decoder modules 102, concentrator module 104 arranges the data extracted by each decoder module 102 into an aggregated and organized collection.
Authentication interface module 106 periodically receives data from the concentrator module 104, analyzes it, and sends communications 50 to authentication server 42 via connection 114. The period of receipt may be, for example, one minute. In some embodiments, authentication interface module 106 pulls the data from the concentrator module 104 by periodically polling for new data. In other embodiments concentrator module 104 pushes newly-received data (either periodically or as it is received) to authentication interface module 106. Transformation component 110 examines the data and identifies interaction events of certain pre-selected types between the user and the web-based application 41, storing the identified events as the set of identified interaction events 74. This may be done in consultation with a user/session state map 108. In some embodiments, transformation component 110 also identifies certain ancillary data 76 that relates to the identified events. Further detail of these identifications will be provided below, in connection with FIG. 4. Authentication interface module 106 eventually packages the events 74 and ancillary data 76 into messages using a structured information exchange protocol (e.g., SOAP) understandable by the risk-based authentication server 42 so that the risk-based authentication server 42 can process that information for risk-based user authentication purposes.
FIG. 4 depicts a method 200 performed by NAD 44. In step 210, packet sniffer 61 (or other packet sniffing means) sniffs packets traversing the local network 38 between the web-based application server 40 and the user machine 32. In some embodiments all packets traversing the network are received by packet sniffer 61, and packet sniffer 61 disregards any packet whose network-layer source address (e.g., in an IP-based network, the source IP address within an IP packet) or network-layer destination address (e.g., in an IP-based network, the destination IP address within an IP packet) is not the network-layer address of the web-based application server 40. In other embodiments, gateway/switch 36 only sends packets having the network-layer address of the web-based application server 40 within their source or destination fields to the packet sniffer 61. In some embodiments, packet sniffer 61 further analyzes the incoming packets to determine whether or not they originated at or were destined for the web-based application 41, discarding packets having no relation to the web-based application 41. Packet sniffer 61 may store all non-excluded/non-discarded packets as sniffed packets 72 within memory 68.
In step 220, NAD 44 analyzes the sniffed packets 72 to extract event information relating to interaction events between the user machine 32 and the web-based application server 40, particularly the web-based application 41. Step 225 provides further detail of an example implementation of step 220.
In step 225, NAD 44 examines the sniffed packets 72 in order to detect specific interaction events that occur between the user machine 32 and the web-based application server 40 at the application layer. These specific interaction events at the application layer reflect specific actions performed by the user at the web-based application 41 from the perspective of the web-based application 41. For example, if the web-based application 41 is a secure application for conducting secure transactions across potentially remote distances, then the specific interactions might include (a) the user logging in to the web-based application 41; (b) the user changing a login password; and (c) the user changing his user e-mail address. As a more specific example, if the web-based application 41 is an on-line banking application, then the specific interactions might additionally include (d) the user directing the on-line banking application to make a monetary transfer between the user's account and another specified account; (e) the user adding an approved destination account for transfers; (f) the user modifying information associated with an approved destination account; and (g) the user changing his customer mailing address.
Step 225 may be broken down into sub-steps which may be performed by different modules. FIG. 5 is of relevance at this point. It depicts an example sniffed packet 300. Sniffed packet 300 includes various lower-layer fields 302 (i.e., networking fields of a lower order than the application layer; in the OSI model, since the application layer is layer 7, example lower layers include the network layer (layer 3), the transport layer (layer 4), and the session layer (layer 5)) as well as an application layer (i.e., OSI layer 7) message, such as a web-based (e.g., HTTP) message 304.
Returning to the sub-steps within step 225 of FIG. 4, in sub-step 227, decoder module 102 parses web-based message 304 within each sniffed packet 300 to generate a set of extracted application-layer fields 73. A custom parser 103 (see FIG. 3) may be implemented within decoder module 102 for this purpose, designed to look for specific patterns. For example, one pattern that the custom parser 103 may be configured to search for would be a reference to a specific page (e.g., “/login.jsp”) 308 within an HTTP header 306. It should be understood that several different specific pages may be searched for by the parser. As another example, if the HTTP message 304 includes a web page 310, there may be a pattern embedded within the page that indicates an event of relevance. Thus, custom parser 103 may be configured to use regular expression parsing to look for a pattern of the form “Schedule a payment for $[0-9]+.[0-9][0-9] to [a-z|A-Z]+ on [0|1]?[0-9][-|/][0-3]?[0-9][-|/]2[0-9][0-9][0-9].” where $[0-9]+.[0-9][0-9] represents a dollar amount, [a-z|A-Z]+ represents the name of an example recipient, and [0|1]?[0-9][-|/][0-3]?[0-9][-|/]2[0-9][0-9][0-9] represents a date in MM-DD-YYYY or MM/DD/YYYY format. The presence of such a pattern indicates that the user (or, possibly, a malicious entity masquerading as the user) is attempting to make a payment.
Once several sniffed packets 72 have been thus parsed, the set of extracted application-layer fields 73 may contain several different fields returned by the parser 103. In some embodiments, the fields coming from identical TCP sessions may be grouped together, so that related fields are listed in proximity.
In sub-step 229, authentication interface module 106 correlates the set of extracted application-layer fields 73 with specific interaction events. A transformation component 110 may be implemented within authentication interface module 106 for this purpose, designed to analyze the set of extracted application-layer fields 73 and extract underlying event information relating to specific actions performed by the user at the web-based application 41, storing the results as the set of identified interaction events 74. Transformation component 110 processes elements of the set of extracted application-layer fields 73 having a TCP session in common and grouped into a set of HTTP request-response pairs, which are of use in identifying specific interaction events. For example, if transformation component 110 detects a user HTTP POST request for a page called do_payment.jsp having data embedded therewithin (including, for example, a recipient, a date, and a dollar amount), followed by an HTTP response from the web-based application 41 containing the phrase “Payment has been processed,” then transformation component 110 is able to correlate those events with a monetary transfer event (d), storing an indication of that event and the relevant embedded data within a specific event of the set of identified interaction events 74. In some embodiments, user/session state map 108 is used by the transformation component 110 to ascertain what events are possibly expected within the context of a particular user.
Optional step 230 may be performed in parallel with step 220. In optional step 230, NAD 44 analyzes the sniffed packets 72 to extract ancillary information relating to interaction events between the user machine 32 and the web-based application server 40, particularly the web-based application 41. The ancillary information is drawn from a networking layer below the application layer and relates to specific detected events. For example, the ancillary information may be drawn from lower-layer fields 302 in the network layer (layer 3), the transport layer (layer 4), or the session layer (layer 5) of a sniffed packet 300. Examples of ancillary information that may be drawn from lower-layer fields 302 might include (1) packet size; (2) clock skew between packets; (3) number of simultaneous sessions operated by the user; (4) browser type used by the user; (5) operating system type used by the user; and (6) time interval between service of a web-page by the web-based application server 40 and response by the user machine 32.
In one embodiment, custom parser 103 of decoder module 102 extracts the lower-layer fields 302 from the packet and stores them as the set of extracted lower-layer fields 75. Then, transformation component 110 associates the set of extracted lower-layer fields 75 with particular events of the set of identified interaction events 74 in order to create the set of ancillary data 76.
Periodically, after performing step 220 and optional step 230, authentication interface module 106 performs step 240 to send the extracted event information (and ancillary information) to the risk-based authentication server 42 for risk-based authentication of the user. Authentication interface module 106 places the data from the set of identified interaction events 74 (and the data from the set of ancillary data 76) into a format understood by the risk-based authentication server 42 using a structured information exchange protocol, for example, using the well-known SOAP protocol, and sends protocol packets to the risk-based authentication server 42 over logical connection 114 and on to network interface 60 to be sent over connection 62 to the risk-based authentication server.
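The pipeline of steps 210, 225 (sub-steps 227 and 229) and 230 described above, as an added Python example that is not the patent's or any product's code. It assumes sniffed packets modelled as constructed dicts, the /login.jsp and do_payment.jsp page names and the payment phrase from the description, a hypothetical /confirm.jsp page, and a simple keyword heuristic for browser and operating system type.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

SERVER_IP, CLIENT = "192.0.2.10", "203.0.113.5"   # constructed addresses (server 40, user machine 32)

def pkt(ts, port, size, http, to_server=True):  # constructed packet: lower-layer fields 302 + message 304
    a, b = ((CLIENT, port), (SERVER_IP, 443)) if to_server else ((SERVER_IP, 443), (CLIENT, port))
    return {"ts": ts, "src": a[0], "sport": a[1], "dst": b[0], "dport": b[1], "size": size, "http": http}

UA = "User-Agent: Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/5.0\r\n"
OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_PACKETS = [  # two TCP sessions from one user plus one packet for an unrelated server
    pkt(100.0, 51234, 430, "POST /login.jsp HTTP/1.1\r\n" + UA + "\r\nuser=alice&pass=REDACTED"),
    pkt(100.2, 51234, 1250, OK + "<html>Welcome, alice</html>", to_server=False),
    {"ts": 101.0, "src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.99", "dport": 80,
     "size": 300, "http": "GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"},
    pkt(105.0, 51240, 380, "GET /confirm.jsp HTTP/1.1\r\n" + UA + "\r\n"),
    pkt(105.1, 51240, 2100, OK + "<p>Schedule a payment for $250.00 to Bob on 03/15/2012.</p>", to_server=False),
    pkt(107.5, 51234, 512, "POST /do_payment.jsp HTTP/1.1\r\n" + UA + "\r\nrecipient=Bob&date=03%2F15%2F2012&amount=250.00"),
    pkt(107.8, 51234, 900, OK + "<p>Payment has been processed.</p>", to_server=False),
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})")
# The description's payment pattern with "$" and "." escaped so they match literally.
PAYMENT_PATTERN = re.compile(
    r"Schedule a payment for \$(\d+\.\d{2}) to ([A-Za-z]+) on ([01]?\d[-/][0-3]?\d[-/]2\d{3})")

def parse_http(message: str) -> Dict[str, str]:
    """Sub-step 227: flatten one HTTP message into extracted application-layer fields (73)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    fields = {"body": body}
    m = REQUEST_LINE.match(lines[0])
    if m:
        fields.update(kind="request", method=m.group(1), path=m.group(2))
    else:
        m = STATUS_LINE.match(lines[0])
        if m is None:
            raise ValueError("not an HTTP message: " + lines[0])
        fields.update(kind="response", status=m.group(1))
    for line in lines[1:]:                      # headers become "h_<name>" keys
        name, _, value = line.partition(":")
        fields["h_" + name.strip().lower()] = value.strip()
    return fields

@dataclass
class Event:                       # one identified interaction event (74) with ancillary data (76)
    kind: str
    ts: float                      # time of the user's request
    session: Tuple[str, int]       # client endpoint of the TCP session
    data: Dict[str, str]           # data embedded in the request or served page
    ancillary: Dict[str, object]

BROWSERS = ("Firefox", "Chrome", "Safari", "MSIE")             # assumed User-Agent keyword
OSES = ("Windows", "Mac OS X", "Linux", "Android", "iPhone")    # heuristics, not the patent's

def ancillary(req: dict, rf: Dict[str, str], last_resp_ts: Optional[float], concurrent: int) -> dict:
    """Step 230: ancillary data from lower-layer fields and inter-packet timing."""
    ua = rf.get("h_user-agent", "")
    return {"request_size": req["size"],
            "browser": next((b for b in BROWSERS if b in ua), "unknown"),
            "os": next((o for o in OSES if o in ua), "unknown"),
            "think_time": None if last_resp_ts is None else round(req["ts"] - last_resp_ts, 3),
            "concurrent_sessions": concurrent}

def extract_events(packets: List[dict]) -> List[Event]:
    """Steps 210, 225, 230: filter by server address, group by TCP session, pair and classify."""
    sessions: Dict[Tuple[str, int], List[dict]] = {}
    for p in sorted(packets, key=lambda p: p["ts"]):
        if SERVER_IP not in (p["src"], p["dst"]):       # step 210: drop unrelated traffic
            continue
        key = (p["dst"], p["dport"]) if p["src"] == SERVER_IP else (p["src"], p["sport"])
        sessions.setdefault(key, []).append(p)
    per_ip = {ip: sum(1 for i, _ in sessions if i == ip) for ip, _ in sessions}  # simultaneous sessions
    events: List[Event] = []
    for key, pkts in sessions.items():
        last_resp_ts, pending = None, None
        for p in pkts:
            f = parse_http(p["http"])
            if f["kind"] == "request":
                pending = (p, f)
                continue
            if pending is not None:                      # sub-step 229: request/response pair
                req, rf = pending
                anc = ancillary(req, rf, last_resp_ts, per_ip[key[0]])
                form = {k: v[0] for k, v in parse_qs(rf["body"]).items()}
                m = PAYMENT_PATTERN.search(f["body"])
                if rf["path"] == "/login.jsp" and f["status"] == "200":
                    # only the user name is reported; the password is never extracted
                    events.append(Event("login", req["ts"], key, {"user": form.get("user", "")}, anc))
                elif rf["path"] == "/do_payment.jsp" and "Payment has been processed" in f["body"]:
                    events.append(Event("monetary_transfer", req["ts"], key, form, anc))
                elif m:
                    data = dict(zip(("amount", "recipient", "date"), m.groups()))
                    events.append(Event("payment_scheduled", req["ts"], key, data, anc))
            last_resp_ts, pending = p["ts"], None
    return sorted(events, key=lambda e: e.ts)
```

The events returned by `extract_events` are the material that step 240 would package for the authentication server; the unrelated packet is dropped at the step 210 filter and the think time of 7.3 s on the payment event is measured from the server's previous response on the same session.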
Thus, techniques have been described for expeditiously adding a risk-based authentication feature to a secure web-based application 41 by performing packet sniffing on the local network 38 of the web-based application 41, analyzing the sniffed packets 72 to detect specific application-layer interaction events, and sending communications to the authentication server 42 in order to communicate those events for risk-based authentication purposes. Techniques have also been described for sending ancillary information from lower layers of the sniffed packets 72 for enhanced risk-based authentication.
While various embodiments of the invention have been particularly shown and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
It should be understood that although various embodiments have been described as being methods, software embodying these methods is also included. Thus, one embodiment includes a tangible non-transitory computer-readable medium (such as, for example, a hard disk, a floppy disk, an optical disk, computer memory, flash memory, etc.) programmed with instructions, which, when performed by a computer or a set of computers, cause one or more of the methods described in various embodiments to be performed. Another embodiment includes a computer which is programmed to perform one or more of the methods described in various embodiments.
Furthermore, it should be understood that all embodiments which have been described may be combined in all possible combinations with each other, except to the extent that such combinations have been explicitly excluded.
Finally, nothing in this Specification shall be construed as an admission of any sort. Even if a technique, method, apparatus, or other concept is specifically labeled as “prior art” or as “conventional,” Applicants make no admission that such technique, method, apparatus, or other concept is actually prior art under 35 U.S.C. §102, such determination being a legal determination that depends upon many factors, not all of which are known to Applicants at this time.

Claims (22)

What is claimed is:
1. A method, performed by a network analyzer device connected to a network, the method comprising:
sniffing packets traversing the network between a web-based application server and a user machine, the user machine being operated by a user;
analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server; and
sending the extracted event information to an authentication server for risk-based authentication of the user;
wherein:
analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server includes examining the sniffed packets to detect specific interaction events that occur between the user machine and the web-based application server at an application layer;
the specific interaction events include events drawn from a set of application-layer events;
the authentication server is configured to perform risk-based authentication of the user by analyzing the specific interaction events drawn from the set of application-layer events; and
the web-based application server provides a secure online banking service to the user as the web-based application.
2. The method of claim 1 wherein sniffing packets traversing the network between the web-based application server and the user machine includes capturing packets traversing the network having either a source or destination network-layer address corresponding to a network-layer address of the web-based application server.
3. The method of claim 1 wherein examining the sniffed packets to detect the specific interaction events that occur between the user machine and the web-based application server at the application-layer includes:
parsing web-based messages within the sniffed packets to generate a set of extracted application-layer fields; and
correlating the set of extracted application-layer fields with the specific interaction events.
4. The method of claim 1 wherein the set of application-layer events includes:
the user logging in to the web-based application server;
the user changing a login password; and
the user changing a user e-mail address.
5. The method of claim 4 wherein the set of application-layer events further includes:
the user directing the secure online banking service to make a monetary transfer;
the user adding an approved destination account for transfers;
the user modifying information associated with an approved destination account; and
the user changing a customer mailing address.
6. The method of claim 4 wherein the method further comprises:
analyzing the sniffed packets to extract ancillary information from a networking layer below the application-layer, the ancillary information relating to the detected specific interaction events between the user machine and the web-based application server; and
sending the extracted ancillary information to the authentication server for risk-based authentication of the user in connection with the extracted event information.
7. A method, performed by a network analyzer device connected to a network, the method comprising:
sniffing packets traversing the network between a web-based application server and a user machine, the user machine being operated by a user;
analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server; and
sending the extracted event information to an authentication server for risk-based authentication of the user;
wherein:
analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server includes examining the sniffed packets to detect specific interaction events that occur between the user machine and the web-based application server at an application layer;
the specific interaction events include events drawn from a set of application-layer events including:
the user logging in to the web-based application server;
the user changing a login password; and
the user changing a user e-mail address; and
the authentication server is configured to perform risk-based authentication of the user by analyzing the specific interaction events drawn from the set of application-layer events;
the method further comprises:
analyzing the sniffed packets to extract ancillary information from a networking layer below the application-layer, the ancillary information relating to the detected specific interaction events between the user machine and the web-based application server; and
sending the extracted ancillary information to the authentication server for risk-based authentication of the user in connection with the extracted event information; and
analyzing the sniffed packets to extract ancillary information from the networking layer below the application-layer includes detecting specific ancillary information from the networking layer below the application-layer drawn from a set of data including:
packet size;
clock skew between packets;
number of simultaneous sessions operated by the user;
browser type used by the user;
operating system type used by the user; and
time interval between service of a web-page by the web-based application server and response by the user machine.
8. A method of adding a risk-based user authentication capability to a pre-existing web-based application service running on the web-based application server, the method comprising installing a network analyzer device configured to perform the method of claim 1, without making a non-trivial modification to the pre-existing web-based application service running on the web-based application server to support risk-based user authentication.
9. A computer program product comprising a non-transitory tangible computer-readable storage medium, the tangible computer-readable storage medium storing instructions, which, when performed by a computing device, cause the computing device to perform the operations of:
sniffing packets traversing a network between a web-based application server and a user machine, the user machine being operated by a user;
analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server; and
sending the extracted event information to an authentication server for risk-based authentication of the user;
wherein:
the instructions direct the computer to, when analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server, examine the sniffed packets to detect specific interaction events that occur between the user machine and the web-based application server at an application-layer, wherein the specific interaction events include events drawn from a set of application-layer events;
the authentication server is configured to perform risk-based authentication of the user by analyzing the specific interaction events drawn from the set of application-layer events; and
the web-based application server provides a secure online banking service to the user as the web-based application.
10. The computer program product of claim 9 wherein the instructions direct the computer to, when sniffing packets traversing the network between the web-based application server and the user machine, capture packets traversing the network having either a source or destination network-layer address corresponding to a network-layer address of the web-based application server.
11. The computer program product of claim 9 wherein the instructions direct the computer to, when analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server:
examine the sniffed packets to detect specific interaction events that occur between the user machine and the web-based application server at an application-layer, wherein examining the sniffed packets to detect the specific interaction events that occur between the user machine and the web-based application server at the application-layer includes:
parsing web-based messages within the sniffed packets to generate a set of extracted application-layer fields; and
correlating the set of extracted application-layer fields with the specific interaction events.
12. The computer program product of claim 9 wherein the set of application-layer events includes:
the user logging in to the web-based application server;
the user changing a login password; and
the user changing a user e-mail address.
13. The computer program product of claim 12 wherein the instructions, when performed by the computer, further cause the computer to perform the operations of:
analyzing the sniffed packets to extract ancillary information from a networking layer below the application-layer, the ancillary information relating to the detected specific interaction events between the user machine and the web-based application server; and
sending the extracted ancillary information to the authentication server for risk-based authentication of the user in connection with the extracted event information.
14. A network analyzer device comprising:
a processor;
means for sniffing packets traversing a network; and
memory, the memory storing instructions, which, when performed by the processor, cause the processor to perform the operations of:
directing the packet sniffing means to sniff packets traversing the network between a web-based application server and a user machine, the user machine being operated by a user;
analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server; and
sending the extracted event information to an authentication server for risk-based authentication of the user;
wherein:
the instructions direct the processor to, when analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server, examine the sniffed packets to detect specific interaction events that occur between the user machine and the web-based application server at an application-layer, wherein the specific interaction events include events drawn from a set of application-layer events;
the authentication server is configured to perform risk-based authentication of the user by analyzing the specific interaction events drawn from the set of application-layer events; and
the web-based application server provides a secure online banking service to the user as the web-based application.
15. The network analyzer device of claim 14 wherein the instructions direct the processor to, when sniffing packets traversing the network between the web-based application server and the user machine, direct the packet sniffing means to capture packets traversing the network having either a source or destination network-layer address corresponding to a network-layer address of the web-based application server.
16. The network analyzer device of claim 14 wherein the set of application-layer events includes:
the user logging in to the web-based application server;
the user changing a login password; and
the user changing a user e-mail address.
17. The network analyzer device of claim 16 wherein the instructions, when performed by the processor, further cause the processor to perform the operations of:
analyzing the sniffed packets to extract ancillary information from a networking layer below the application-layer, the ancillary information relating to the detected specific interaction events between the user machine and the web-based application server; and
sending the extracted ancillary information to the authentication server for risk-based authentication of the user in connection with the extracted event information.
18. A system comprising:
a network gateway device, configured to connect a remote user machine to a network;
a web-based application server, connected to the network, the web-based application server being configured to provide, across the network gateway device, a web-based application service to a user operating the user machine; and
a network analyzer device, connected to the network gateway device, the network analyzer device configured to:
sniff packets traversing the network gateway device between the web-based application server and the user machine;
analyze the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server; and
send the extracted event information to an authentication server for risk-based authentication of the user;
wherein:
analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server includes examining the sniffed packets to detect specific interaction events that occur between the user machine and the web-based application server at an application layer;
the specific interaction events include events drawn from a set of application-layer events;
the authentication server is configured to perform risk-based authentication of the user by analyzing the specific interaction events drawn from the set of application-layer events; and
the web-based application server provides a secure online banking service to the user as the web-based application.
19. The computer program product of claim 13 wherein analyzing the sniffed packets to extract ancillary information from the networking layer below the application-layer includes detecting specific ancillary information from the networking layer below the application-layer drawn from a set of data including:
packet size;
clock skew between packets;
number of simultaneous sessions operated by the user;
browser type used by the user;
operating system type used by the user; and
time interval between service of a web-page by the web-based application server and response by the user machine.
20. The computer program product of claim 12 wherein the set of application-layer events further includes:
the user directing the secure online banking service to make a monetary transfer;
the user adding an approved destination account for transfers;
the user modifying information associated with an approved destination account; and
the user changing a customer mailing address.
21. The network analyzer device of claim 17 wherein analyzing the sniffed packets to extract ancillary information from the networking layer below the application-layer includes detecting specific ancillary information from the networking layer below the application-layer drawn from a set of data including:
packet size;
clock skew between packets;
number of simultaneous sessions operated by the user;
browser type used by the user;
operating system type used by the user; and
time interval between service of a web-page by the web-based application server and response by the user machine.
22. The network analyzer device of claim 16 wherein the set of application-layer events further includes:
the user directing the secure online banking service to make a monetary transfer;
the user adding an approved destination account for transfers;
the user modifying information associated with an approved destination account; and
the user changing a customer mailing address.
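The analyzer stage that claims 9 through 22 describe (keep only traffic to or from the application server, parse application-layer fields out of the web messages, correlate them to the set of interaction events, attach below-application-layer ancillary data, and hand the result to the authentication server), as an added Python example that is not part of the patent or of any EMC product. The server address, URL paths, form field names, session-cookie name and event names are assumptions, and the captured requests are constructed inline; the example also redacts credential values so that only their presence, never their content, reaches the authentication server.

```python
from collections import defaultdict, namedtuple
import re
from urllib.parse import parse_qs

SERVER_IP = "10.0.0.5"                          # assumption: the web-based application server
REDACTED_FIELDS = {"password", "new_password"}  # values are never forwarded, only their presence
# Assumed site-specific rules (event, method, path, required form fields): the claims' event set.
EVENT_RULES = [
    ("login", "POST", "/login", {"username", "password"}),
    ("password_change", "POST", "/account/password", {"new_password"}),
    ("email_change", "POST", "/account/email", {"new_email"}),
    ("monetary_transfer", "POST", "/transfer", {"to_account", "amount"}),
    ("add_payee", "POST", "/payees/add", {"account_number"}),
    ("mailing_address_change", "POST", "/account/address", {"street"}),
]
# One reassembled HTTP request plus the sniffer's below-application-layer facts about it:
# total bytes of its packets, when the server served the page being answered, when the client replied.
CapturedRequest = namedtuple("CapturedRequest",
    "src_ip dst_ip method path headers body packet_bytes served_at sent_at")

def in_scope(req):
    """Claims 10/15: keep only traffic whose source or destination is the server."""
    return SERVER_IP in (req.src_ip, req.dst_ip)

def parse_fields(body):
    """Extract application-layer fields from a form-encoded request body."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def correlate_event(method, path, fields):
    """Map the extracted fields to one known interaction event, or None."""
    for name, m, p, required in EVENT_RULES:
        if method == m and path == p and required.issubset(fields):
            return name
    return None

def classify_agent(user_agent):
    """Coarse browser/OS type; Chrome precedes Safari because its UA names both."""
    browser = next((b for b in ("Firefox", "Chrome", "Safari") if b in user_agent), "other")
    os_type = next((o for o in ("Windows", "Mac OS", "Linux", "Android", "iPhone") if o in user_agent), "other")
    return browser, os_type

def extract_events(requests):
    """Turn a batch of captured requests into the records sent to the authentication server."""
    requests = [r for r in requests if in_scope(r)]
    sessions = defaultdict(set)                  # src_ip -> distinct session cookies seen
    for r in requests:
        sid = re.search(r"\bsid=([^;\s]+)", r.headers.get("Cookie", ""))
        if sid:
            sessions[r.src_ip].add(sid.group(1))
    events = []
    for r in requests:
        fields = parse_fields(r.body)
        name = correlate_event(r.method, r.path, fields)
        if name is None:
            continue                             # ordinary page view, not a tracked event
        browser, os_type = classify_agent(r.headers.get("User-Agent", ""))
        events.append({
            "event": name, "user": fields.get("username"), "client_ip": r.src_ip,
            "fields": {k: "[redacted]" if k in REDACTED_FIELDS else v for k, v in fields.items()},
            "ancillary": {                       # claims 19/21: below-application-layer data
                "packet_size": r.packet_bytes, "response_interval": round(r.sent_at - r.served_at, 3),
                "simultaneous_sessions": len(sessions[r.src_ip]),
                "browser": browser, "os": os_type,
            },
        })
    return events

# Constructed capture: a login, a plain page view, a transfer under a second session
# cookie from the same client, and a request to an unrelated host (filtered out).
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"
SAMPLE = [
    CapturedRequest("198.51.100.7", SERVER_IP, "POST", "/login", {"User-Agent": UA, "Cookie": "sid=A1"},
                    "username=alice&password=s3cret", 612, 100.0, 104.5),
    CapturedRequest("198.51.100.7", SERVER_IP, "GET", "/balance", {"User-Agent": UA, "Cookie": "sid=A1"},
                    "", 410, 105.0, 109.0),
    CapturedRequest("198.51.100.7", SERVER_IP, "POST", "/transfer", {"User-Agent": UA, "Cookie": "sid=B2"},
                    "to_account=12345&amount=2500.00", 540, 120.0, 120.3),
    CapturedRequest("198.51.100.7", "203.0.113.9", "POST", "/login", {"User-Agent": UA},
                    "username=x&password=y", 300, 0.0, 1.0),
]
```

Calling `extract_events(SAMPLE)` yields two records, a login and a monetary transfer; the transfer record carries a 0.3-second response interval and two simultaneous sessions for the client, which is exactly the kind of ancillary signal the authentication server weighs alongside the event itself.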
US13/239,863 2011-09-22 2011-09-22 Using packet interception to integrate risk-based user authentication into online services Active 2031-11-14 US8683568B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/239,863 US8683568B1 (en) 2011-09-22 2011-09-22 Using packet interception to integrate risk-based user authentication into online services

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US13/239,863 US8683568B1 (en) 2011-09-22 2011-09-22 Using packet interception to integrate risk-based user authentication into online services

Publications (1)

Publication Number Publication Date
US8683568B1 true US8683568B1 (en) 2014-03-25

Family

ID=50289030

Family Applications (1)

Application Number Title Priority Date Filing Date
US13/239,863 Active 2031-11-14 US8683568B1 (en) 2011-09-22 2011-09-22 Using packet interception to integrate risk-based user authentication into online services

Country Status (1)

Country Link
US (1) US8683568B1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9456343B1 (en) 2013-12-18 2016-09-27 Emc Corporation Assessing mobile user authenticity based on communication activity
US11431719B2 (en) * 2020-06-23 2022-08-30 Bank Of America Corporation Dynamic access evaluation and control system

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060155865A1 (en) * 2005-01-06 2006-07-13 Brandt David D Firewall method and apparatus for industrial systems
US20070220604A1 (en) * 2005-05-31 2007-09-20 Long Kurt J System and Method of Fraud and Misuse Detection
US20080002595A1 (en) * 2006-06-23 2008-01-03 Rao Umesh R Network monitoring system and method thereof
US20080281961A1 (en) * 2007-05-09 2008-11-13 Steven Niemczyk Network delay analysis including parallel delay effects
US20100027430A1 (en) * 2001-04-30 2010-02-04 Netwitness Corporation Apparatus and Method for Network Analysis
US20100046391A1 (en) * 2001-04-30 2010-02-25 Netwitness Corporation Apparatus and method for network analysis
US20100228650A1 (en) * 2007-08-27 2010-09-09 Correlsense Ltd. Apparatus and Method for Tracking Transaction Related Data
US20100287416A1 (en) * 2009-03-17 2010-11-11 Correlsense Ltd Method and apparatus for event diagnosis in a computerized system
US8261326B2 (en) 2008-04-25 2012-09-04 International Business Machines Corporation Network intrusion blocking security overlay

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100027430A1 (en) * 2001-04-30 2010-02-04 Netwitness Corporation Apparatus and Method for Network Analysis
US20100046391A1 (en) * 2001-04-30 2010-02-25 Netwitness Corporation Apparatus and method for network analysis
US20060155865A1 (en) * 2005-01-06 2006-07-13 Brandt David D Firewall method and apparatus for industrial systems
US20070220604A1 (en) * 2005-05-31 2007-09-20 Long Kurt J System and Method of Fraud and Misuse Detection
US20080002595A1 (en) * 2006-06-23 2008-01-03 Rao Umesh R Network monitoring system and method thereof
US20080281961A1 (en) * 2007-05-09 2008-11-13 Steven Niemczyk Network delay analysis including parallel delay effects
US8095649B2 (en) * 2007-05-09 2012-01-10 Opnet Technologies, Inc. Network delay analysis including parallel delay effects
US20130067073A1 (en) * 2007-05-09 2013-03-14 Steven Niemczyk Network delay analysis including parallel delay effects
US20100228650A1 (en) * 2007-08-27 2010-09-09 Correlsense Ltd. Apparatus and Method for Tracking Transaction Related Data
US8261326B2 (en) 2008-04-25 2012-09-04 International Business Machines Corporation Network intrusion blocking security overlay
US20100287416A1 (en) * 2009-03-17 2010-11-11 Correlsense Ltd Method and apparatus for event diagnosis in a computerized system

Similar Documents

Publication Publication Date Title
US10795992B2 (en) Self-adaptive application programming interface level security monitoring
CN110472414A (en) Detection method, device, terminal device and the medium of system vulnerability
US20190044968A1 (en) Method and system for uniquely identifying a user computer in real time using a plurality of processing parameters and servers
EP2447878B1 (en) Web based remote malware detection
CN103139138B (en) A kind of application layer denial of service means of defence based on client detection and system
Bin et al. A DNS based anti-phishing approach
US20090126014A1 (en) Methods and systems for analyzing security events
CN104348803B (en) Link kidnaps detection method, device, user equipment, Analysis server and system
US20160337378A1 (en) Method and apparatus for detecting security of online shopping environment
CN101505247A (en) Detection method and apparatus for number of shared access hosts
CN109039987A (en) A kind of user account login method, device, electronic equipment and storage medium
US9042863B2 (en) Service classification of web traffic
WO2009055785A2 (en) Fraud detection using honeytoken data tracking
CN104239577A (en) Method and device for detecting authenticity of webpage data
CN104580230B (en) Verification method and device are attacked in website
CN102710770A (en) Identification method for network access equipment and implementation system for identification method
CN106330944A (en) Method and device for recognizing malicious system vulnerability scanner
CN107689951A (en) Web data crawling method, device, user terminal and readable storage medium storing program for executing
CN107046544A (en) A kind of method and apparatus of the unauthorized access request recognized to website
US8910281B1 (en) Identifying malware sources using phishing kit templates
CN109446807A (en) The method, apparatus and electronic equipment of malicious robot are intercepted for identification
US8683568B1 (en) Using packet interception to integrate risk-based user authentication into online services
KR20160013733A (en) System and method for realtime detection of abnormal financial transaction
CN112910915A (en) Trusted connection authentication method, device, equipment and computer readable storage medium
CN107395637A (en) Http tunnels active detecting method, terminal device and storage medium

Legal Events

Date Code Title Description
AS Assignment

Owner name: EMC CORPORATION, MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KHITRENOVICH, ANTON;PEER, ODED;FREYLAFERT, OLEG;REEL/FRAME:027079/0467

Effective date: 20110926

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NORTH CAROLINA

Free format text: SECURITY AGREEMENT;ASSIGNORS:ASAP SOFTWARE EXPRESS, INC.;AVENTAIL LLC;CREDANT TECHNOLOGIES, INC.;AND OTHERS;REEL/FRAME:040134/0001

Effective date: 20160907

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT, TEXAS

Free format text: SECURITY AGREEMENT;ASSIGNORS:ASAP SOFTWARE EXPRESS, INC.;AVENTAIL LLC;CREDANT TECHNOLOGIES, INC.;AND OTHERS;REEL/FRAME:040136/0001

Effective date: 20160907

AS Assignment

Owner name: EMC IP HOLDING COMPANY LLC, MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:EMC CORPORATION;REEL/FRAME:040203/0001

Effective date: 20160906

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551)

Year of fee payment: 4

AS Assignment

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., TEXAS

Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES, INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:049452/0223

Effective date: 20190320

AS Assignment

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., TEXAS

Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:053546/0001

Effective date: 20200409

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

AS Assignment

Owner name: WYSE TECHNOLOGY L.L.C., CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: SCALEIO LLC, MASSACHUSETTS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: MOZY, INC., WASHINGTON

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: MAGINATICS LLC, CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: FORCE10 NETWORKS, INC., CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: EMC IP HOLDING COMPANY LLC, TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: EMC CORPORATION, MASSACHUSETTS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL SYSTEMS CORPORATION, TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL SOFTWARE INC., CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL PRODUCTS L.P., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL MARKETING L.P., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL INTERNATIONAL, L.L.C., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL USA L.P., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: CREDANT TECHNOLOGIES, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: AVENTAIL LLC, CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: ASAP SOFTWARE EXPRESS, INC., ILLINOIS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

AS Assignment

Owner name: SCALEIO LLC, MASSACHUSETTS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: EMC IP HOLDING COMPANY LLC (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MOZY, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: EMC CORPORATION (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MAGINATICS LLC), MASSACHUSETTS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO FORCE10 NETWORKS, INC. AND WYSE TECHNOLOGY L.L.C.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL PRODUCTS L.P., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL INTERNATIONAL L.L.C., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL USA L.P., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL MARKETING L.P. (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO CREDANT TECHNOLOGIES, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO ASAP SOFTWARE EXPRESS, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

AS Assignment

Owner name: SCALEIO LLC, MASSACHUSETTS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: EMC IP HOLDING COMPANY LLC (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MOZY, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: EMC CORPORATION (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MAGINATICS LLC), MASSACHUSETTS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO FORCE10 NETWORKS, INC. AND WYSE TECHNOLOGY L.L.C.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL PRODUCTS L.P., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL INTERNATIONAL L.L.C., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL USA L.P., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL MARKETING L.P. (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO CREDANT TECHNOLOGIES, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO ASAP SOFTWARE EXPRESS, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329